bluebar.php doesn't enforce in-proxy association

Bug #457470 reported by root
This bug affects 1 person
Affects   Status    Importance   Assigned to   Milestone
psiphon   Invalid   Unknown      Unassigned

Bug Description

* This page doesn't include check_user.php and doesn't do its own in-proxy association check (that the user is coming from the proxy they are limited to).
  * It's not trivial to exploit this with just a web browser, as you'd have to move your cookie from one domain to another.

Tags: category1
Adam P (adam+)
Changed in psiphon:
status: New → Confirmed
Rod (rod-psiphon)
visibility: private → public
e.fryntov (e-fryntov)
tags: added: category1
Adam P (adam+) wrote :

If the fix for Bug #552603 results in the removal of enforced proxy associations, this bug will go away.

e.fryntov (e-fryntov) wrote :

I think the whole 'include check_user.php' idea is obsolete.

There's no reason to either let the user through or show the login form for every PHP script anymore.

The only page that shows the login form is this: https://hostname/login_url.

All unauthenticated requests will be denied access by mod_psiphon_auth, as it is set globally on the server at the document root level like this:

<Location />
PsiphonAuthEnable On
....
</Location>

There's no need to do any user authentication checking in PHP scripts anymore, except for those that are listed in the 'PsiphonNoAuth' directive.
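
Per-script guards fail silently when a script omits the include, which is the condition this report describes. As an added example (not code from Psiphon or from this thread), the audit below lists PHP scripts under a document root that never include check_user.php; the function names, the `no_auth` exemption list and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

GUARD_FILE = "check_user.php"  # guard script named in the bug report
# include/require (optionally _once) whose quoted argument ends in check_user.php
GUARD_RE = re.compile(
    r"(?<![\w$])(?:include|require)(?:_once)?\b[^;]*?['\"][^'\"]*check_user\.php['\"]",
    re.IGNORECASE,
)
# Heuristic: drop comments so a commented-out include is not counted (string literals not parsed).
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)

def unguarded_scripts(docroot, no_auth=()):
    """Return sorted docroot-relative .php paths that never include the guard."""
    exempt = {GUARD_FILE, *no_auth}  # no_auth: pages meant to be reachable without login
    missing = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            if not name.endswith(".php") or rel in exempt:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = COMMENT_RE.sub("", fh.read())
            if not GUARD_RE.search(source):
                missing.append(rel)
    return sorted(missing)

# Constructed sample tree; only the names check_user.php and bluebar.php come from the report.
SAMPLE_TREE = {
    "check_user.php": "<?php /* guard body omitted */ ?>",
    "login.php": "<?php echo 'login form'; ?>",
    "home.php": "<?php require_once(dirname(__FILE__) . '/check_user.php'); ?>",
    "bluebar.php": "<?php\n// include 'check_user.php';\necho 'bar';\n?>",
    "admin/panel.php": "<?php include \"../check_user.php\"; ?>",
}

def audit_sample(no_auth=("login.php",)):
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return unguarded_scripts(root, no_auth)

if __name__ == "__main__":
    print(audit_sample())
```

The check only shows that a guard include is present somewhere in the file, not that it runs before any output or that the guard itself enforces the proxy association.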

e.fryntov (e-fryntov) wrote :

I'm going to go ahead and mark this bug as 'invalid'.

Changed in psiphon:
status: Confirmed → Invalid